DETAILED ACTION
Response to Arguments 

1. Applicant's arguments with respect to claims 1-15, 17-62, 64-80 and 82-88 have been 
considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

3. Claims 1-5, 10-15, 17-25, 28-62, 64-80, 82-88 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Leporini et al (U.S. PG Pub No. 2003/0182579) in view of Pensak et al 
(U.S. PG Pub No. 2002/0029340). 

4. As per claim 1, Leporini et al teach a method for providing access control management
to electronic data, the method comprising establishing a secured link with a client machine when
an authentication request is received from the client machine, the authentication request
including an identifier identifying a user of the client machine to access the electronic data,
wherein the electronic data is secured in a format including security information and an
encrypted data portion, the security information including file key and access rules and
controlling restrictive access to the encrypted data portion; and authenticating the user according
to the identifier (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203,
0437). Leporini et al fail to teach activating a user key after the user is authenticated, wherein the
user key is used to access the access rules in the security information and the file key can be
retrieved to decrypt the encrypted data portion only if access privileges of the user are successfully
measured by the access rules. However, Pensak et al teach an inventive concept of
activating a user key after the user is authenticated, wherein the user key is used to access the
access rules in the security information and the file key can be retrieved to decrypt the encrypted
data portion only if access privileges of the user are successfully measured by the access rules
(paragraphs 0016, 0017, 0019). Therefore, it would have been obvious to one of ordinary skill in
the art at the time the invention was made to modify Leporini et al's inventive concept to include
Pensak et al's inventive concept of activating a user key after the user is authenticated, wherein
the user key is used to access the access rules in the security information and the file key can be
retrieved to decrypt the encrypted data portion only if access privileges of the user are successfully
measured by the access rules, because this would have ensured that the information transmitted,
received and/or stored by the system remains secure against unauthorized use and unlawful
access.

5. As per claim 2, Leporini et al teach a method comprising maintaining an access control 
management, wherein the access control management comprises a rule manager including at 
least one set of rules for the electronic data; and an administration interface from which the rules 
for a designated place for the electronic data are created, managed, or updated (see paragraphs 
0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 0437). 

6. As per claim 3, Leporini et al teach a method wherein the designated place is a folder
and all files in the folder are subject to the rules (see paragraphs 0003, 0004, 0008, 0015, 0024, 
0027, 0036, 0041-0046, 0052, 0203, 0437). 

7. As per claim 4, Leporini et al teach a method wherein the designated place is a
repository and all files in the repository are subject to the rules (see paragraphs 0003, 0004,
0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 0437).

8. As per claim 5, Leporini et al teach a method wherein the rule manager provides a
graphic user interface from which the rules can be created, managed or updated (see paragraphs
0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 0437).

9. As per claim 10, Leporini et al teach a method wherein the access control management
further comprises a user manager coupled to a database including a list of authorized users and
respective access privileges associated with each of the authorized users (see paragraphs 0003,
0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 0437).

10. As per claim 11, Leporini et al teach a method wherein the authenticating of the user 
comprises looking up in the database for the user; and getting, from the database, access location 
information as to where the user is authorized to access the electronic data if information about 
the user is located in the database (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 
0041-0046, 0052, 0203, 0437).

11. As per claim 12, Leporini et al teach a method wherein the identifier further identifies
the client machine; and wherein the authenticating of the user comprises determining, from the
access location information, whether the client machine is permitted by the user to access the
electronic data (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 0052,
0203, 0437).

12. As per claim 13, Leporini et al teach a method wherein the access location information 
pertains to locations or specific client machines from which the user is authorized to access the 
electronic data (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 
0203, 0437).

13. As per claim 14, Leporini et al teach a method wherein the user key is in the client 
machine; and wherein the activating of the user key comprises sending an authentication 
message to the client machine; and activating the user key with the authentication message (see 
paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 0437).

14. As per claim 15, Leporini et al teach a method wherein the electronic data, when 
secured, includes a header that further includes the security information being encrypted and a 
signature signifying that the electronic data is secured (see paragraphs 0003, 0004, 0008, 0015, 
0024, 0027, 0036, 0041-0046, 0052, 0203, 0437).

15. As per claim 17, Leporini et al teach a method comprising associating the activated user
key with the user locally (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041-0046,
0052, 0203, 0437).

16. As per claim 18, Leporini et al teach a method wherein the electronic data, when 
secured, includes a header that includes the security information being encrypted and a signature 
signifying that the electronic data is secured; the encrypted security information including the 
access rules and a file key, and wherein the method further comprises receiving the header from 
the client machine, decrypting the security information in the header to retrieve the access rules 
therein; and retrieving the file key when the access rules are measured successfully against 
access privilege of the user (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041- 
0046, 0052, 0203, 0437). 

17. As per claim 19, Leporini et al teach a method further comprising sending the file key to 
the client machine in which the encrypted data portion can be decrypted with the file key by a 
cipher module executing in the client machine (see paragraphs 0003, 0004, 0008, 0015, 0024, 
0027, 0036, 0041-0046, 0052, 0203, 0437). 

18. As per claim 20, Leporini et al teach a method for providing access control management 
to electronic data, the method comprising authenticating a user attempting to access the 
electronic data; maintaining a private key and a public key, both associated with the user, 
wherein the electronic data, when secured, includes a header and an encrypted data portion, the 
header further includes security information controlling who, how, when and where the secured
electronic data can be accessed and the encrypted data portion is an encrypted version of the 
electronic data according to a predetermined cipher scheme (see paragraphs 0003, 0004, 0008, 
0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 0437). Leporini et al fail to teach encrypting 
the security information with the public key when the electronic data is to be written into a store, 
and decrypting the security information with the private key when the electronic data is to be 
accessed by an application. However, Pensak et al teach encrypting the security information with 
the public key when the electronic data is to be written into a store, and decrypting the security 
information with the private key when the electronic data is to be accessed by an application 
(paragraphs 0016, 0017, 0019). Therefore, it would have been obvious to one of ordinary skill in
the art at the time the invention was made to modify Leporini et al's invention to include Pensak et al's
inventive concept of encrypting the security information with the public key when the electronic
data is to be written into a store, and decrypting the security information with the private key
when the electronic data is to be accessed by an application, because this would
have ensured that the information transmitted, received and/or stored by the system remains secure
against unauthorized use and unlawful access.

19. As per claim 21, Leporini et al teach a method wherein the authentication of the user 
comprises establishing a link with a client machine from which the user is attempting to access 
the electronic data, demanding credential information from the user, and receiving the credential 
information from the client machine over the link (see paragraphs 0003, 0004, 0008, 0015, 
0024, 0027, 0036, 0041-0046, 0052, 0203, 0437).



Application/Control Number: 10/076,254
Art Unit: 3621

20. As per claim 22, Leporini et al teach a method wherein the credential information 
includes a pair of username and password provided by the user (see paragraphs 0003, 0004, 
0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 0437). 

21. As per claim 23, Leporini et al teach a method wherein the credential information
includes biometric information captured from the user by an apparatus coupled to the client
machine (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203,
0437).

22. As per claim 24, Leporini et al teach a method wherein the encrypting of the security 
information with the public key comprises receiving access rules and a file key, wherein the file 
key has been used to produce the encrypted data portion in the client machine, including the 
access rules and the file key into the security information; and encrypting the security 
information with the public key (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 
0041-0046, 0052, 0203, 0437). 

23. As per claim 25, Leporini et al teach a method comprising generating the header with
the security information encrypted therein; and uploading the header to the client machine where
the header is integrated with the encrypted data portion (see paragraphs 0003, 0004, 0008, 0015,
0024, 0027, 0036, 0041-0046, 0052, 0203, 0437).

24. As per claim 28, Leporini et al teach a method wherein the decrypting of the security
information with the private key comprises receiving the header from the client machine over the 
link; parsing the security information from the header; and decrypting the security information 
with the private key (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 
0052, 0203, 0437). 

25. As per claim 29, Leporini et al teach a method further comprising: obtaining access rules 
from the security information; determining whether the access rules accommodate access 
privilege of the user; when the determining succeeds, retrieving a file key from the security
information; and sending the file key to the client machine over the link; when the determining
fails, sending an error message to the client machine over the link (see paragraphs 0003, 0004,
0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 0437). 

26. As per claim 30, Leporini et al teach a method wherein the error message indicates that 
the user does not have the access privilege to access the electronic data (see paragraphs 0003, 
0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 0437).

27. As per claim 31, Leporini et al teach a method for providing access control management 
to electronic data, the method comprising receiving a request to access the electronic data; 
determining security nature of the electronic data; when the security nature indicates that the 
electronic data is secured, the electronic data including a header and an encrypted data portion, 
the header including security information controlling restrictive access to the encrypted data 
portion and the encrypted data portion is an encrypted version of the electronic data according to
a predetermined cipher scheme (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036,
0041-0046, 0052, 0203, 0437). Leporini et al fail to teach determining from the security
information if the user has necessary access privilege to access the encrypted data portion and 
decrypting the encrypted data portion only after the user is determined to have the necessary 
access privilege to access the encrypted data portion. However, Pensak et al teach determining 
from the security information if the user has necessary access privilege to access the encrypted 
data portion and decrypting the encrypted data portion only after the user is determined to have 
the necessary access privilege to access the encrypted data portion (paragraphs 0016, 0017, 
0019). Therefore, it would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify Leporini et al's invention to include Pensak et al's inventive concept
of determining from the security information if the user has necessary access privilege to access 
the encrypted data portion and decrypting the encrypted data portion only after the user is 
determined to have the necessary access privilege to access the encrypted data portion because 
this would have ensured the information transmitted, received and/or stored by the system 
remains secure against unauthorized use and unlawful access. 

28. As per claim 32, Leporini et al teach a method further comprising retrieving a user key 
associated with a user making the request (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 
0036, 0041-0046, 0052, 0203, 0437). 

29. As per claim 33, Leporini et al teach a method wherein said determining from the
security information if the user has necessary access privilege comprises decrypting the security 
information with the user key; retrieving access rules from the security information; and 
measuring the access rules against the access privilege of the user (see paragraphs 0003, 0004, 
0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 0437). 

30. As per claim 34, Leporini et al teach a method further comprising retrieving a file key 
from the security information if the measuring of the access rules against the access privilege 
succeeds (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 
0437). 

31. As per claim 35, Leporini et al teach a method further comprising causing the client 
machine to display an error message to the user if the measuring of the access rules against the 
access privilege fails (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 
0052, 0203, 0437). 

32. As per claim 36, Leporini et al teach a method wherein the retrieving of the user key 
comprises establishing a link with a server executing an access control management; sending to 
the server an authentication request including an identifier identifying the user for the access 
control management to authenticate the user; forwarding the header to the server; and receiving a
file key retrieved from the header (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 
0041-0046, 0052, 0203, 0437). 

33. As per claim 37, Leporini et al teach a method of activating a cipher module and
decrypting the encrypted data portion by the cipher module with the received file key (see 
paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 0437). 

34. As per claim 38, Leporini et al teach a method comprising loading the decrypted data 
portion into the application (see paragraphs 0003, 0004, 0008, 0015, 0024, 0027, 0036, 0041- 
0046, 0052, 0203, 0437).

35. As per claim 39, Leporini et al teach a method wherein the retrieving of the user key 
comprises establishing a link with a server executing an access control management; sending to 
the server an authentication request including an identifier identifying the user for the access 
control management to authenticate the user, receiving an authentication message after the user 
is authenticated; and activating the user key locally in the client machine (see paragraphs 0003, 
0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 0437). 

36. As per claim 40, Leporini et al teach a method wherein the user key is in an illegible 
format before the activating of the user key locally in the client machine (see paragraphs 0003, 
0004, 0008, 0015, 0024, 0027, 0036, 0041-0046, 0052, 0203, 0437). 

37. Claims 6-9, 26 and 27 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Leporini et al (U.S. PG Pub No. 2003/0182579) in view of Pensak et al (U.S. PG Pub No.
2002/0029340) in further view of Ozog et al (U.S. PG Pub 2003/0033528).

38. As per claims 6-9, 26 and 27, the combination of Leporini et al and Pensak et al fails to
teach a method wherein parameters determining the rules from the graphic user interface are
subsequently expressed in a markup language uploaded to the client machine after the user is
authenticated Extensible Access Control Markup Language selected from a group consisting of
HTML, XML and SGML. However, Ozog et al teach a method wherein parameters determining
the rules from the graphic user interface are subsequently expressed in a markup language
uploaded to the client machine after the user is authenticated Extensible Access Control Markup
Language selected from a group consisting of HTML, XML and SGML (see paragraphs 0059,
0060, 0108, 0110, 0113). Therefore, it would have been obvious to one of ordinary skill in the art at
the time the invention was made to modify the combination of Leporini et al in view of
Pensak et al's inventive concept to include Ozog et al's method wherein parameters determining
the rules from the graphic user interface are subsequently expressed in a markup language
uploaded to the client machine after the user is authenticated Extensible Access Control Markup
Language selected from a group consisting of HTML, XML and SGML because this would have
facilitated the viewing of the access rules.

39. As per claims 41-88, they disclose the same invention as in claims 1-40 and do not further
limit the claimed invention; therefore, they are rejected under the same rationale.

Conclusion



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to FIRMIN BACKER whose telephone number is 571-272-6703.
The examiner can normally be reached on Monday - Thursday 9:00 AM - 5:00 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, James Trammell can be reached on (571) 272-6712. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 